cleanup a bit

Signed-off-by: Stephen Gran <steve@lobefin.net>

diff --git a/modules/ferm/files/defs.conf b/modules/ferm/files/defs.conf
index 3c3bc30..608e89f 100644 (file)
--- a/modules/ferm/files/defs.conf
+++ b/modules/ferm/files/defs.conf
@@ -12,8 +12,7 @@
 }
 
 @def &TCP_UDP_SERVICE($port) = {
- proto tcp mod state state (NEW) dport $port ACCEPT;
- proto udp mod state state (NEW) dport $port ACCEPT;
+ proto (tcp udp) mod state state (NEW) dport $port ACCEPT;
 }
 
 @def $HOST_MUNIN  = (192.25.206.33);

diff --git a/modules/ferm/files/ferm.conf b/modules/ferm/files/ferm.conf
index 8229ff8..f761b01 100644 (file)
--- a/modules/ferm/files/ferm.conf
+++ b/modules/ferm/files/ferm.conf
@@ -51,3 +51,9 @@ domain (ip ip6) {
 }
 
 @include 'dsa.d/';
+
+domain (ip ip6) {
+        chain INPUT {
+                jump log_or_drop;
+        }
+}

diff --git a/modules/ferm/manifests/init.pp b/modules/ferm/manifests/init.pp
index a083892..3d35bae 100644 (file)
--- a/modules/ferm/manifests/init.pp
+++ b/modules/ferm/manifests/init.pp
@@ -43,14 +43,6 @@ class ferm {
                         notify  => Exec["ferm restart"];
         }
 
-        ferm::rule { "dsa-drop":
-                domain          => "(ip ip6)",
-                description     => "Drop everything else",
-                prio            => "99",
-                rule            => "jump log_or_drop"
-        }
-
-
         exec { "ferm restart":
                 command     => "/etc/init.d/ferm restart",
                 refreshonly => true,